author | Mark Longair <mhl@pobox.com> | 2013-06-17 09:53:29 +0100 |
committer | Mark Longair <mhl@pobox.com> | 2013-06-17 12:25:13 +0100 |
commit | 64ae21945a69441ad6a58a1069417e7a56cc15f6 (patch) | |
tree | 33a6d8002327856e290c717a77bdca36ecef5b3a | |
parent | e31d6252d206afb155d09eb54fb068f7695880d1 (diff) |
Fix a security vulnerability: eval used in quoting display name0.11.0.12
This use of eval allows arbitrary remote code execution on
parsing of a maliciously formed email.
Two tests are updated to match the behaviour of the new
code to return the display name - these introduce extra
escaping, so should be innocuous.
-rw-r--r-- | lib/mail_handler/backends/mail_backend.rb | 2 | ||||
-rw-r--r-- | spec/lib/mail_handler/mail_handler_spec.rb | 2 | ||||
-rw-r--r-- | spec/mailers/outgoing_mailer_spec.rb | 2 |
3 files changed, 3 insertions, 3 deletions
diff --git a/lib/mail_handler/backends/mail_backend.rb b/lib/mail_handler/backends/mail_backend.rb
index 561946980..28c486e1b 100644
--- a/lib/mail_handler/backends/mail_backend.rb
+++ b/lib/mail_handler/backends/mail_backend.rb
@@ -112,7 +112,7 @@ module MailHandler
 if first_from.is_a?(ActiveSupport::Multibyte::Chars)
 return nil
 else
- return first_from.display_name ? eval(%Q{"#{first_from.display_name}"}) : nil
+ return (first_from.display_name || nil)
 end
 else
 return nil
diff --git a/spec/lib/mail_handler/mail_handler_spec.rb b/spec/lib/mail_handler/mail_handler_spec.rb
index 272b56d0b..d6e7ba5d2 100644
--- a/spec/lib/mail_handler/mail_handler_spec.rb
+++ b/spec/lib/mail_handler/mail_handler_spec.rb
@@ -223,7 +223,7 @@ describe 'when deriving a name, email and formatted address from a message from
 it 'should quote a name with quotes in it' do
 should_render_from_address('"FOI \" Person" <foiperson@localhost>',
- ['FOI " Person',
+ ['FOI \" Person',
 'foiperson@localhost',
 '"FOI \" Person" <foiperson@localhost>'])
 end
diff --git a/spec/mailers/outgoing_mailer_spec.rb b/spec/mailers/outgoing_mailer_spec.rb
index 5d1ea2dfb..0ae31801c 100644
--- a/spec/mailers/outgoing_mailer_spec.rb
+++ b/spec/mailers/outgoing_mailer_spec.rb
@@ -53,7 +53,7 @@ describe OutgoingMailer, " when working out follow up addresses" do
 # check the basic entry in the fixture is fine
 OutgoingMailer.name_and_email_for_followup(ir, im).should == "\"FOI \\\" Person\" <foiperson@localhost>"
- OutgoingMailer.name_for_followup(ir, im).should == "FOI \" Person"
+ OutgoingMailer.name_for_followup(ir, im).should == "FOI \\\" Person"
 OutgoingMailer.email_for_followup(ir, im).should == "foiperson@localhost"
 end
|
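Review bot: The `|| nil` in the added line `return (first_from.display_name || nil)` is redundant — `display_name` already yields either a String or nil — and, more importantly, removing the eval means the backslash quoted-pairs of an RFC 5322 quoted-string display name (`"FOI \" Person"`) are now returned verbatim, which is exactly what the two spec expectation changes (`'FOI \" Person'` and `"FOI \\\" Person"`) encode. If the original eval was there to unescape those quoted-pairs, the safe equivalent is a literal regexp replacement rather than code evaluation: `name = first_from.display_name` / `return name && name.gsub(/\\(.)/, '\1')`, after which the expectations in spec/lib/mail_handler/mail_handler_spec.rb and spec/mailers/outgoing_mailer_spec.rb could keep their pre-change values. That the Mail gem's `display_name` leaves the backslashes in place is inferred from those spec changes rather than visible in this hunk. The enclosing method begins and ends outside the hunk.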